
What evidence is there that this is actually the SolarWinds hackers and not someone who uploaded some random encrypted files and is hoping to trick people into sending them money?

There’s a PGP signature, but as far as I’ve heard the attackers didn’t leave behind any other messages to prove it was signed with the same key.




And it does not seem a very serious attempt either. The only way to make this deal is through a single listed protonmail address that if this gets any traction will be closed in all likelihood. Not like an onion site with a contact page or something.


Not really.

The message is PGP signed. If the protonmail address is taken down, then another message will be put out with alternate means of contact that will have a correct PGP signature.

If you read the message there is indeed an onion address as backup in case things get taken down.

The PGP address is the important part. No matter what gets taken down, if they can get attention to another message with a valid PGP signature, then they can carry on easily.

EDIT: This is actually how Cicada3301 of all people operated. The PGP key allowed them to post a message even on Pastebin or /x/ and they would still be contactable and effectively uncensorable, because their identity was persistent and their messages were replicated.


As a side note, with so much attention on replacing PGP, I've long thought the turning point would be when a group like this uses something else. It's just a highly visible thing and it's a group that a lot of people assume know what they are doing.


> with so much attention on replacing PGP

There actually isn't much attention on replacing PGP with anything specific.

What other completely decentralized alternatives exist with no single point of failure? libsodium? That's a good start but a long way from a complete alternative.

Plenty of quasi-centralized encrypted chat "apps" keep pretending they offer what PGP offers. The clueful ignore these gesticulations.


Indeed, for a side project I have, I have a problem I want to be able to solve of "encrypt a file with a passphrase in a way that's secure and can be decrypted with standard tools". PGP is the best option for this, but I'm resisting implementing it in the hope I can find something better.


You may wish to look at age: https://github.com/FiloSottile/age


I've looked at 10 different tools like this, but this doesn't fall well enough into the definition I'm using of "standard tools," by which I mean something installable from apt/yum/ports on a wide variety of systems.

The closest I've found is using openssl's aes modes, but that requires the IV to be stored out-of-band somehow, which is doable but a hassle I was hoping to avoid.


For the context right here minisign would be perfectly capable. The post on this thread is not encrypted, there's no "decentralized" relevancy. Minisign has smaller keys and forces modern technology with a far simpler format.


I've always wondered how effective this sort of info security is. Could a state actor track down these sorts of operations, or can infosec be good enough to really leave no trace?


It's not that hard to do this kind of thing without leaving any solid trace at all.

A way to do it for example would be to use a stolen credit card to subscribe to a few VPNs with hops on Tor in between and use that to set up a VPS that puts this up after a few weeks.

The devil is in the details, but if you're careful you can leave absolutely no trace.


Although, the more they interact with the internet, the more clues they leave behind. Things like Tor can be deanonymized, and even Tor has a warning. Quote: "Generally it is impossible to have perfect anonymity, even with Tor."

Source: https://support.torproject.org/faq/staying-anonymous/


> Although, the more they interact with the internet, the more clues they leave behind

Interacting with a tor browser would be amateurish at this point. Just connect to tor (not on a browser, tor directly), use a script to upload to some random pastebin, disconnect from tor.


I didn't mention anything about a browser.

Note that, for example, your ISP can see whenever you are using tor or a VPN. From there, they can inspect the packets to work out what pastebin you have visited. E.g. simply by measuring how many bytes you have uploaded and then finding the paste and comparing the length of the paste with the number of uploaded bytes. (Just a basic example, there are more advanced methods). See https://witestlab.poly.edu/blog/de-anonymizing-tor-traffic-w...


Yes.

This is why you don't actually post anything on pastebin yourself.

Rather, you SSH into a VPS (via multiple VPNs and Tor/I2P), then program the VPS to post your message to pastebin in a week.

And of course, you're not doing this from your home, you're doing this from the parking lot of a Starbucks in a car with tinted windows and fake plates, using a device with a spoofed MAC address.

There are many ways of pulling this off so that no one will ever be able to pin you down. You just need to pay attention to detail.

You're of course using some sort of obfuscated bridge too, so that packet sizes become meaningless.


All right, good point. I'll concede the argument - there's fairly decent anonymity for those who use a combination of tools and know how to operate them. It's still not 100% perfect, but good enough.

Some examples where it could go wrong: what if the VPS was a honeypot? What if the VPN logged everything? What if Tor or other piece of software they are using has a 0-day? The more complexity, the more chance for a bug or mistake... and so on...


Yes, it's absolutely true that you must be very careful, and of course it's not 100% but it's 99.9999...% perfect.

That said, a VPN logging everything, or Tor being compromised, or the VPS being a honeypot wouldn't be enough to compromise you, you'd need all of them to be true simultaneously.


Let's say you followed all of the leads down to connection points.

Randomized MAC connecting to a McDonald's free WiFi, cameras capture a masked guy in a hoodie or black Cutlass with unreadable plates. Now what?


even better: throw away a raspberry pi that automatically connects to the McDonald's WiFi at night from the trash can. the evidence is disposed of, and surveillance captures many people throwing away trash. whose happy meal had the toy?


Or fashion a cantenna and connect all the way from KFC.

Plenty of ways to be untraceable unless there is a spook at every hotspot, instantly notified of undesirable activity.


I think we can't know for sure unless they release some of it like the shadow brokers did. But the shadow brokers show that it is possible for hackers with highly valuable leaks to post them for sale on the public Internet.


Usually for this kind of thing samples are provided. This attack feels too sophisticated for a mere sale. At best, if this is legitimate, it's misdirection.


needs proof of life. none of the "vendors" will consider it without proof. in fact they would likely verify if they were real dumps.


Strange that there is no public key provided...

You can't verify a signature without a public key.


You can extract the public key from the signature. This public key is E2C73BC53B9118A0.

If you want to have a go at it yourself, run gpg -vv and paste the entire message, it will give you the public key.


No, you cannot extract the public key from the signature. It is only telling you the fingerprint of the key the message claims to have been signed with, but there is no verification happening.

You can change part of the message or the encoded fingerprint (which is a bit longer than the portion you pasted), and it will still report it the same way.

However, you will not be able to mathematically verify that this message and another one was signed by the same key.

If you look carefully at what GPG is telling you, you'll probably see a line like this, unless you have the key in your keyring:

    gpg: Can't check signature: No public key
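
To illustrate the point made in the comment above (an added example, not part of the original thread): the key ID gpg reports is read from an issuer subpacket inside the signature, and in this constructed packet it sits in the unhashed area, so changing it alters no byte the signature covers. The helper names and the second key ID are hypothetical; the sample packet is built by hand following the RFC 4880 v4 signature layout.

```python
def sig_body(packet: bytes) -> bytes:
    """Strip the header from one short OpenPGP signature packet (tag 2)."""
    first = packet[0]
    if first & 0x40:                                   # new-format header
        tag, width = first & 0x3F, 1
    else:                                              # old-format header
        tag, width = (first >> 2) & 0x0F, 1 << (first & 3)
    if tag != 2 or width > 2 or (first & 0x40 and packet[1] >= 192):
        raise ValueError("expected a short signature packet")
    length = int.from_bytes(packet[1:1 + width], "big")
    return packet[1 + width:1 + width + length]

def subpackets(area: bytes):
    """Yield (type, data) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255:                             # two-octet length
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:                                 # five-octet length
            n, i = int.from_bytes(area[i:i + 4], "big"), i + 4
        yield area[i] & 0x7F, area[i + 1:i + n]        # n includes the type octet
        i += n

def inspect_signature(packet: bytes):
    """Return (packet bytes covered by the signature hash, [(area, issuer key ID)])."""
    body = sig_body(packet)
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hlen = int.from_bytes(body[4:6], "big")
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
    areas = (("hashed", body[6:6 + hlen]),
             ("unhashed", body[8 + hlen:8 + hlen + ulen]))
    issuers = [(name, data.hex().upper())
               for name, area in areas for t, data in subpackets(area) if t == 16]
    return body[:6 + hlen], issuers

def build_sample(key_id: str) -> bytes:
    """Constructed v4 signature: creation time hashed, issuer key ID unhashed."""
    hashed = bytes.fromhex("05025FF00000")             # subpacket type 2, dummy time
    unhashed = bytes.fromhex("0910" + key_id)          # subpacket type 16, issuer
    body = (bytes.fromhex("04010108") + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + bytes.fromhex("ABCD0008FF"))             # hash prefix + dummy MPI
    return bytes([0x88, len(body)]) + body

if __name__ == "__main__":
    for kid in ("E2C73BC53B9118A0", "0123456789ABCDEF"):  # second ID is made up
        print(inspect_signature(build_sample(kid)))
```

Both packets report a different issuer while the hash-covered bytes are identical, which is why a key ID read from a signature proves nothing until the signature is checked against the actual public key.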


Yes, you're right, this is only the ID, you'd need to get the actual key off a keyserver.


Also, let us not forget the possibility that there may not even be a key to begin with. :)



